On Tue, 2009-03-17 at 14:06 -0400, Adam Jackson wrote:
> On Mon, 2009-03-16 at 12:52 -0700, Eric Anholt wrote:
> > On Fri, 2009-03-13 at 13:46 -0400, Adam Jackson wrote:
> > > Currently, if you start X without -ac and without -auth, the default
> > > connection policy is to allow connections from localhost. In
> > > particular, this means on every IPv[46] address, and any local
> > > transports including unix sockets.
> > >
> > > I'd like to see a mode where the default policy is effectively
> > > +si:localuser:`id -un`, which would allow connections only from the uid
> > > that started the server. This is effectively the policy everyone's
> > > trying to implement with xauth cookies, but cookies have to get stored
> > > on disk somewhere which sucks for NFS and r/o images, etc. For the gdm
> > > case, the display manager would add the real user to the access list
> > > once they've been authed, and then remove itself and start the session
> > > as the user.
> > >
> > > Normally I'd just change the default here, but I think this might be a
> > > significant enough difference in behaviour that you should have to ask
> > > for it. So. New -localuser option? Change the default? Bad idea,
> > > give up, take up farming?
> >
> > It sounds sensible, the only thing I'm concerned about is whether with
> > this new default I could sudo <X app> and still get success.
>
> It's not particularly well specified, at least for
> getsockopt(SO_PEERCRED). The Linux implementation appears to give you
> the effective UID, not real, so suid apps would fail. I'm not sure what
> the other OS's implement offhand.

And sudo would fail as well? That's extremely uncool. Unless the plan
is to add +si:localuser:0 as well.

-- 
Eric Anholt
e...@anholt.net eric.anh...@intel.com
_______________________________________________
xorg-devel mailing list
xorg-devel@lists.x.org
http://lists.x.org/mailman/listinfo/xorg-devel